(54) Secure method for generating cryptographic function outputs



(57) Data that indicates the use of a pseudorandom function output is used to modify at least one value used to produce the pseudorandom function output. In one embodiment, the output control signals provided to a User Identity Module (UIM) device are used as inputs to a pseudorandom function processor. As a result, the output provided by the processor differs based on whether the output from the processor is going to be stored in a key storage area or exported for use outside the UIM. This technique solves the problem of the prior art by ensuring that values that are exported or presented at the output of the UIM module are different than the values that are stored within the UIM module as key values. As a result, an attacker would receive values at the output of the UIM that are different than the values stored in the key storage unit and therefore would not be able to impersonate the mobile terminal or compromise the privacy of the terminal's communications.
Description

Background of the Invention 
Field of the Invention 

[0001] The present invention relates to communications; more specifically, the security of the authentication process used in communication systems.

Description of the Related Art 

[0002] FIG. 1 illustrates a base station 10, its associated cell 12 and mobile 14 within cell 12. When mobile 14 first registers or attempts communications with base station 10, base station 10 authenticates or verifies the mobile's identity before allowing the mobile access to the communication network. The authentication of mobile 14 involves communicating with authentication center 16. Authentication center 16 then accesses a home location register 22 which is associated with mobile 14. Home location register 22 may be associated with the terminal or mobile by an identifier such as the mobile's telephone number. The information contained in the home location register is used to generate encryption keys and other information. This information is used to supply base station 10 with information that is transmitted to mobile 14 so that mobile 14 can respond and thereby be authenticated as a mobile that is entitled to receive communication services.
[0003] FIGS. 2a and 2b illustrate the authentication process used for an IS41 compliant network. IS41 compliant networks are networks that use, for example, AMPS, TDMA or CDMA protocols. In this system, both the mobile and home location register contain a secret value called AKEY. Before the actual authentication process can start, a key update is performed by providing the mobile with keys that will be used with encryption functions for authentication and communication. The AKEY value stored in the home location register associated with the mobile is used to produce the keys. The key values calculated are the SSDA (Shared Secret Data A) and SSDB (Shared Secret Data B) values. These values are calculated by performing the CAVE algorithm or function using a random number R_S as an input and the value AKEY as the key input. The CAVE algorithm is well known in the art and is specified in the IS41 standard. The network then updates the key values SSDA and SSDB that will be used by the mobile by transmitting R_S to the mobile. The mobile then calculates SSDA and SSDB in the same fashion as calculated by the authentication center. Now that the mobile and home location register both contain the SSDA and SSDB values, the authentication process may take place.
[0004] FIG. 2b illustrates how a mobile is authenticated to a network after both the mobile and home location register have received the keys SSDA and SSDB. The authentication center challenges the mobile by sending a random number R_N to the mobile. At this point both the mobile and authentication center calculate the value AUTHR, where AUTHR is equal to the output of the CAVE algorithm using the random number R_N as an input and the SSDA value as the key input. The mobile then transmits the calculated value AUTHR to the authentication center. The authentication center compares its calculated value of AUTHR and the value received from the mobile. If the values match, the mobile is authenticated and it is given access to the network. In addition, both the mobile and the authentication center calculate the value of cipher key K_C, where the value K_C is equal to the output of the CAVE algorithm using the value R_N as an input and the value SSDB as the key input. At this point, communications between the mobile and network are permitted and may be encrypted using a cryptographic function where the inputs are the message to be encrypted and the key value is K_C.
[0005] Since the values SSDA and SSDB are used to verify or authenticate the mobile terminal's identity, it is important that an imposter mobile terminal does not obtain these values. Additionally, the key value K_C is used for encrypting communications with the mobile terminal and if this value is obtained by an outsider, the privacy of the communications may be compromised.

[0006] FIG. 3 is a functional block diagram of a user identity module or smart card that is typically used in communication devices. User identity module (UIM) 30 contains a key value storage memory 32 which is preferably a nonvolatile memory. Pseudorandom function (PRF) unit 34 contains a processor that executes pseudorandom functions such as cryptographic functions and one-way cryptographic functions or hash functions. Pseudorandom function unit 34 is used to generate an output on line 36 based on a key value provided by key storage unit 32, an input value received from an input to UIM 30 and a function select provided to UIM 30. The key value provided to PRF unit 34 is based on a key select input provided to UIM 30. PRF unit 34 selects a pseudorandom function to execute based on the function select input, and uses the input and key values as inputs to the selected pseudorandom function to produce an output on line 36. The output on line 36 is provided to either key storage area 32 where it is stored as a key value, or to the UIM output for export and use by the communication terminal containing UIM 30. The determination of whether to provide the outputs on line 36 to key store unit 32 or to the output of UIM 30 is made by output controller 40 based on an input received on line 42. This configuration is susceptible to an attack where an outsider provides UIM 30 with the inputs necessary to generate the values SSDA, SSDB or K_C while manipulating the values at input 42 so that the values SSDA, SSDB or K_C can be diverted to the output of the UIM rather than to key storage 32.
Summary of the Invention

[0007] The present invention solves the aforementioned problem by using data that indicates the use of a pseudorandom function output to modify at least one value used to produce the pseudorandom function output. In one embodiment, the output control signals provided to a UIM device are used as inputs to a pseudorandom function processor. As a result, the output provided by the processor differs based on whether the output from the processor is going to be stored in a key storage area or exported for use outside the UIM. This technique solves the problem of the prior art by ensuring that values that are exported or presented at the output of the UIM module are different than the values that are stored within the UIM module as key values. As a result, an attacker would receive values at the output of the UIM that are different than the values stored in the key storage unit and therefore would not be able to impersonate the mobile terminal or compromise the privacy of the terminal's communications.

Brief Description of the Drawings 
[0008] 

FIG. 1 illustrates the communication between a mobile and authentication center;
FIGS. 2a and 2b illustrate the key update and authentication process for an IS41 compliant network;
FIG. 3 illustrates a functional block diagram of a user identity module;
FIG. 4 illustrates a functional block diagram of a user identity module where the output control changes the values produced by a pseudorandom function processor; and
FIG. 5 illustrates how data indicative of the use of a pseudorandom function output is used to modify a value used to produce the pseudorandom function output.

Detailed Description of the Invention 

[0009] FIG. 4 illustrates a block diagram of a user identity module (UIM) 60 containing a key storage element 62, a pseudorandom function (PRF) processor 64 and an output controller 66. UIM module 60 may be fabricated on a single silicon device or in a sealed package. Key store device 62 may be implemented using a nonvolatile memory such as an electrically erasable programmable read only memory (EEPROM). Pseudorandom function processor 64 may be implemented using a microprocessor or microcomputer that executes a program that implements one or more pseudorandom functions. The pseudorandom functions may be implemented in terms of an algorithm or a combination of an algorithm and a look-up table. Pseudorandom functions may be functions such as cryptographic functions and/or one-way cryptographic functions such as hash functions. The pseudorandom functions may also be any of the well known pseudorandom functions specified in telecommunication standards such as IS41 or GSM. Processors that produce an output from a pseudorandom function are well known in the art and are used in many mobile communication terminals. Output controller 66 may be a switch or multiplexer that provides the output from PRF processor 64 to key storage unit 62 for storage or to the output of UIM 60 for export based on signals provided on input 68. The control signals received on input 68 are also provided as an input to pseudorandom function processor 64 where the signals may be used to modify values that are used to produce a pseudorandom function output. Key storage unit 62 provides a key value to PRF processor 64 based on inputs received on input 70. The output control signals may also be provided as an input to key storage unit 62 and used to modify the identifier or pointer used to select the key value supplied to PRF processor 64.

[0010] FIG. 5 illustrates the process by which PRF processor 64 produces an output. The pseudorandom function identifier data or value from function select input 72 is illustrated by bit field 100, the input data or value from input 74 is illustrated as bit field 102, the key pointer data or value from input 70 is illustrated as bit field 104 and the output control data or value from input 68 is illustrated as bit field 106. Output control field 106 may be used to modify the output produced by PRF processor 64 in several ways. For example, one or more bits of output control field 106 may be used to modify the bits in key select field 104 which is used as a pointer to key values in key storage 62. It is also possible for one or more bits of output control field 106 to modify input field 102 or modify function select field 100. The modification may include an arithmetic or logic operation, or a simple concatenation of bits.
[0011] PRF processor 64 selects a pseudorandom function F in step 110. This selection is based on bit field 100 which may be modified as discussed earlier using one or more bits from output control field 106. In step 112, PRF processor 64 inputs a key value from key storage unit 62. The pointer which identified the key value for step 112 may be modified using one or more bits of output control field 106. It is also possible for processor 64 to execute step 114 and to modify the key value received from key storage 62 using one or more bits from output control field 106. As discussed above, the modification may involve an arithmetic or logic operation, or a simple concatenation of bits. In step 116, PRF processor 64 inputs the values from input field 102. This field may also be modified using one or more bits from output control field 106. In step 118, PRF processor 64 executes the pseudorandom function using the key value K and the input value I to produce an output which is then sent to output control unit 66 in step 120.
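
The FIG. 3 weakness and the FIG. 4/FIG. 5 countermeasure can be modelled as follows. This is an added Python example, not code from the patent: HMAC-SHA256 stands in for the UIM's pseudorandom function, the one-byte STORE/EXPORT encoding of output control field 106 is an assumption, and the names `Uim`, `run` and all sample values are constructed for illustration. The network side is assumed to apply the same modification as the UIM.

```python
import hashlib
import hmac

STORE, EXPORT = 0, 1  # assumed one-byte encoding of output control field 106

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for the UIM's pseudorandom function (e.g. CAVE).
    return hmac.new(key, data, hashlib.sha256).digest()

class Uim:
    """Toy model: key storage 62, PRF processor 64, output controller 66."""

    def __init__(self, akey: bytes, bind_output_control: bool):
        self.keys = {"AKEY": akey}
        self.bind = bind_output_control  # False: FIG. 3, True: FIG. 4

    def run(self, key_ptr, value, control, store_as=None):
        if control == STORE and store_as is None:
            raise ValueError("STORE needs a key slot name")
        if self.bind:
            # Modify input field 102 by concatenating output control field 106.
            value = bytes([control]) + value
        out = prf(self.keys[key_ptr], value)
        if control == STORE:
            self.keys[store_as] = out  # routed to key storage, never returned
            return None
        return out  # routed to the UIM output

def exported_equals_stored(bind: bool) -> bool:
    """Key update, then the same inputs again with the control set to EXPORT."""
    uim = Uim(b"constructed-akey", bind)
    r_s = b"constructed-R_S"
    uim.run("AKEY", r_s, STORE, store_as="SSDA")
    exported = uim.run("AKEY", r_s, EXPORT)
    return hmac.compare_digest(exported, uim.keys["SSDA"])

def authr_matches_network() -> bool:
    """Legitimate authentication still works when the network mirrors the binding."""
    akey, r_s, r_n = b"constructed-akey", b"constructed-R_S", b"constructed-R_N"
    uim = Uim(akey, bind_output_control=True)
    uim.run("AKEY", r_s, STORE, store_as="SSDA")
    authr = uim.run("SSDA", r_n, EXPORT)
    ssda = prf(akey, bytes([STORE]) + r_s)  # network side, same rule (assumption)
    return hmac.compare_digest(authr, prf(ssda, bytes([EXPORT]) + r_n))

if __name__ == "__main__":
    print("FIG. 3 model, export equals stored SSDA:", exported_equals_stored(False))
    print("FIG. 4 model, export equals stored SSDA:", exported_equals_stored(True))
    print("AUTHR verifies at the network:", authr_matches_network())
```
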
Claims

1. A method for producing an output using a pseudorandom function, comprising the steps of:

receiving a value used as an input to produce a pseudorandom function output;
modifying the value based on a use of the pseudorandom function output to produce a modified value; and
producing a pseudorandom function output using the modified value.

2. The method of claim 1, wherein the value identifies a key value to be used as an input to the pseudorandom function.

3. The method of claim 1, wherein the value is a key value to be used as an input to the pseudorandom function.

4. The method of claim 1, wherein the value identifies one of a plurality of pseudorandom functions.

5. The method of claim 1, further comprising the step of receiving data indicating that the output of the pseudorandom function is to be stored.

6. The method of claim 1, further comprising the step of receiving data indicating that the output of the pseudorandom function is to be stored as a key value.

7. The method of claim 1, further comprising the step of receiving data indicating that the output of the pseudorandom function is to be exported.

8. A method for producing an output using a pseudorandom function, comprising the steps of:

receiving data, where the data indicates a use of a pseudorandom function output, and where the data comprises at least one of an input value, a key value, a key pointer value and a pseudorandom function identifier value;
modifying at least one of the input value, the key value, the key pointer value and the pseudorandom function identifier value, based on the use of the pseudorandom function output to produce at least one modified value; and
producing a pseudorandom function output using at least one modified value.

9. The method of claim 8, wherein the data indicates that the output of the pseudorandom function is to be stored.

10. The method of claim 8, wherein the data indicates that the output of the pseudorandom function is to be stored as a key.

11. The method of claim 8, wherein the data indicates that the output of the pseudorandom function is to be exported.